Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

Sparrowvsrevolution writes with news of some particularly insecure security cameras. From the article: "Eighteen brands of security camera digital video recorders are vulnerable to an attack that would allow a hacker to remotely gain control of the devices to watch, copy, delete or alter video streams at will, as well as to use the machines as jumping-off points to access other computers behind a company's firewall, according to tests by two security researchers. And 58,000 of the hackable video boxes, all of which use firmware provided by the Guangdong, China-based firm Ray Sharp, are accessible via the Internet. Early last week a hacker who uses the handle someLuser found that commands sent to a Swann DVR via port 9000 were accepted without any authentication. That trick would allow anyone to retrieve the login credentials for the DVR's web-based control panel. To compound the problem, the DVRs automatically make themselves visible to external connections using a protocol known as Universal Plug And Play, (UPnP) which maps the devices' location to any local router that has UPnP enabled — a common default setting. ...Neither Ray Sharp nor any of the eighteen firms have yet released a firmware fix."

Of course the Chinese can't afford to see the U.S. banking system collapse. Just turn around almost everything you can touch. Can you see where it is being manufactured? Who's going to buy the stuff if no one has any money left?

they are when that one country represents nearly their entire customer base.they are when that one country represents nearly all of the manufacturing contracts for products "made in china".if the US goes down, China goes with it. China is trying to grow their economcy, not kill it and cause another revolution.

Sounds like bullshit. The USA owes its creditors mostly in US dollars.Say the USA owes you 2 trillion and you're stupid enough to try forcing them to pay up right now. If you're _unlucky_ instead of saying "Fuck off, we'll pay you when its due" the US Gov will tell the Federal Reserve to create the 2 trillion or so to pay you back now.

The Chinese Gov isn't that stupid. They haven't converted enough of their US dollars to tangible stuff yet.

Paulson is just trying to make himself out to be some sort of savior when in reality only if the Chinese were seriously fucking retarded would they even consider such a frankly ignorant move and I can't picture the Russians being that fucking stupid either.

One thing that should be as plain as the nose on your face is that kind of collapse NEVER stays local, it ALWAYS spreads. One need only look at the crash of 29 which even at the much slower pace of communications had spread across the globe in less than a

What, nobody has complained about this being an intentional backdoor yet? The Chinese are out to get us.

I'm inclined to keep "Never attribute to malice something much stupider than malice would have implemented" in mind as a variant on the usual phrase.

Given the hordes of profit-driven, variously political, and simply lulz-oriented attackers on the internet, relatively blatant backdooring(when you are in the privileged position of being the guys shipping the firmware, no less, hard to ask for more insider access than that) amounts to squandering an advantage. Had the units shipped with, say, a bugged sshd that is hardcoded to always allow access via keypair auth with a specific private key, it is both much more likely that nobody would ever have noticed, and that nobody but the intended attacker would ever have been able to make use of the vulnerability. A wholly unauthenticated hole, on the other hand, is an open invitation to every bot-herder and na'er-do-well on the planet to come and have a rummage through the systems, leading to much greater competition for the creator of the backdoor.

Consumers want it to "just work" When that's delivered, they complain. Delivering what the customer asks for (even if they are wrong) isn't malice. It's a deliberate feature. "How do I make this as easy as possible for the owner to control it from anywhere on the Internet?" It wasn't a hidden feature, it was an unintended side effect of a deliberate feature. Like a cat door in the front door that's big enough for a regular sized person. It wasn't hidden, ans was probably explicitly advertised (UPnP,

Well... If you plug your random DVR (or print server, or any device for that matter) tcp port through your router, you deserve what you get. If you leave upnp on, you deserve what you get. Openvpn costs nothing.

So there I was, trying to retrieve the video of the suspect for the cops, and it turns out that recording had been turned off on all 16 cameras 12 hours before the incident.

No network issue here, I never connected the system to the network.

One of the last things the system recorded, was the wee little hands of the owner's 4 year old grandson, playing with the mouse. He made all 16 little boxes in the status grid turn black. Just 16 little clicks.

yep. I can see that happening again... and coincidentally I just finished firing off an email to an up and coming IP camera and managed wifi vendor that provides free NVR and WAP controller software... too bad none of their "server" software installs as a service. So not even a CHANCE of hiding it from little hands. (unless you want to jump through a bunch of hoops to force it into service mode)

And in this case all the kid would have had to do was THREE clicks to log grandpa's PC off. (thus shutting down t

Why would you let your kid use the same user account as yourself (or grandpa). Are you a fan of deleted documents? Just make a separate account for DVR, leave the soft running and fast-user-switch out of it. And a separate restricted accoun for the kid.

And on a side note - if the computer recording your cameras is in a place where a 3 year old can access it, this computer will probably be the very first thing stolen - so i think you are making this crap up.

And on a side note - if the computer recording your cameras is in a place where a 3 year old can access it, this computer will probably be the very first thing stolen - so i think you are making this crap up.

Nobody said Grandpa was smart or thought his cunning plan through... LOL

One of the last things the system recorded, was the wee little hands of the owner's 4 year old grandson, playing with the mouse. He made all 16 little boxes in the status grid turn black. Just 16 little clicks.

I got a hold of one (ZModo) and after putting a known good hard drive in it it worked for a while and then suddenly the SATA controller must have fried. It will no longer recognize any hard disk. Since I didn't pay all that much for it, I pretty much consider it disposable. I'll probably end up using the cheap cameras I got on something a little less flaky.

We bought a 24 channel q-see brand DVR. When it went to boot up, during disk initialization, it specifically mentioned '/dev/sda' and such, so I knew it ran some embedded Linux. I decided to check it out via nmap to see if there was anything interesting running. Port 23 was open. I telnet-ed into the damn thing and was able to log into root with no password. Needless to say, that was fixed.

The soul-crushing thing about your story is that it suggests that somebody deliberately went to additional effort to build/install a telnet daemon while hacking the firmware together. That's just sick and wrong.

Not to mention a godsend and a timesaver for debugging. Every embedded application I've ever made whether linux based or some tiny microcontroller on a UART had some terminal based debugging interface.

I'm willing to bet that this is just a leftover from testing that shouldn't have made it out the door.

From what I saw while poking around the system, it looks like telnet is just a leftover from development that should have been removed. If it really were malicious, I would expect it to be more well hidden.

Port knocking is where the inbound system won't connect until a series of unsuccessful attempts is tried on a known sequence of ports - the system will open the door only when the visitor gives the "secret knock".

For example, a system won't normally accept connection requests. If the visitor attempts (unsuccessfully) ports 1010, 1050, 3042, and 4725 in that order, the system then accepts a connection at port 9000. (Use different numbers and length as needed for security.)

It is nigh impossible for a security audit to detect this type of camouflage. This technique has been well-known for years.

If China were putting back-doors in hardware systems, they could make them virtually impossible to find.

That's circumstantial evidence that this isn't a case of espionage on the part of the manufacturer. It's more likely a flaw in the software or a debugging port that wasn't compiled out in the released version.

My company develops a CCTV DVR/NVR. It's GNU/Linux based, we keep it up to date by offering free updates for life. Upgrades are not a huge firmware blob you need to download and then install (something customers won't do), It's a simple package (we use our own pkg management, and it's slackware-like), usually a few mb of download, but to the customer it's transparent. They just get a warning when they log-in, and the system lets them know via e-mail there are available updates, they can install them with a single click. The whole system is web-based, HTML5, and works out of the box on anything Gecko or Webkit based plus Opera (IE not supported). We don't require additional ports, everything works through a single HTTP port. Everything is session-based. We force the customer to use secure passwords, and to change them frequently. We use uPNP to open that single port, but that's when the customer runs the setup wizard, and we explain what we are going to do, and request customer authorization.

It's easy to do the right thing, and if the manufacturer does the right thing, you don't need any additional security (for example, you don't really need to firewall the damn DVR). Sadly, most manufacturers don't do the right thing. They don't even bother providing upgrades. And the customers don't usually care, even when you offer a better solution, most will go with the generic chinese crap just because it's a few dollars cheaper. That's why more secure and functional solutions such as ours are usually only found in corporations (95% of our customer base).

This issue is not restricted to DVRs, China doesn't give a fuck, and people in general only care about the price tag. That's a deadly combination for the technology used by 90% of the population.

You can disable password expire and strength policies, or change them at will in the config. There is a HUGE warning in that page. When the customer uses the product for the first time, there's a wizard that guides them through this process, and it asks them if they want the product to be exposed to the net, then provides the option to try and autoconfigure everything using upnp, or to go to our website to read a guide on how to configure port forwarding on most routers. Same for our free DDNS service, it's

We've been doing so since '08. We have four major products (our DVR/NVR family of products,an e-learning platform, an ERP, and a Digital Signage solution). If you access any of our products with IE it'll send you to a landing page explaining why it's not supported, why it's a bad idea to use it, and providing alternatives, plus links and easy installation instructions for every platform. Many people told us that policy would doom us. To the contrary, people loved the idea, and to this day we get emails from

We force the customer to use secure passwords, and to change them frequently.

Frequent changes will force them to write them down. Congratulations, you have just made it less secure.OTOH you can just claim you did what was needed and that what they do is THEIR problem, just like everybody else does.

Not factoring in human behavior in security is solving a social problem with a technical solution.

I'm not saying that port knocking should be the product API. Port knocking is a terrible security measure.

I'm saying that a backdoor could be hidden in such a way that it would be impossible to find - and port knocking is one of those methods. It's simple and effective - even if it's "security by obscurity".

Since this exploit is not well hidden, chances are it isn't a purpose-built backdoor, but more likely an oversight of some kind.

I thought the same approach could be used with user authentication on websites. You enter your (correct) password, it kicks you out saying "wrong password". You enter it a second time, this time is accepts you.

Right there, you've doubled the amount of time to bruteforce your password.

Or you could combine the port knocking approach. Pick 2 simple passwords. Enter first password, and get a "wrong password" message, enter the second password and you're accepted.

So, port knocking is secure as long as nobody is listening in anywhere at all between your computer and the remote computer?

Kickass security there. Wouldn't it just be easier to use telnet? Same level of security (just requires nobody between you and the end host), but at least it asks for a password, and a password has a lot more complexity than 65535^4 possibilities.

People smart enough to set up port knocking don't use it as a substitute for private/public key encryption, they simply use it to keep the system from having to fend off dictionary attacks, by keeping the target ports closed. Even after you knock a port open, you still need to authenticate.

apparently 99% of the people that do this dont do it right. i dont even allow WPS to be active on my routers and i tell business that i do work for to disable the feature for the fact that it is a security hole.. and UPnP is the worst idea that has been done including WPS fix the holes or get rid of the software and find something new...

The previous owner of the motel I work at got ripped off by a company that installed one of these 16 camera systems. The cameras never work right, and I knew something funny was was with the DVR when it said that you need IE and Active-X to watch it!

My current boss occasionally asks me to connect it up like the system his uncle (his boss) has, and I keep blowing him off, not because it would be hard, but because I'd both have to open a hole in the firewall to the outside world AND it would be fully accessi

The reason we have such a thing going on is because of stuff like this... this is why i like OSS because if there is a problem i know that it will be fixed immediately instead of waiting for a patch to be released 6 months later. im not worried about China spying on us however i would worry about it if our government allowed something to be imported from another country without going thru some sort of software test before being sold...

Awesome! So will we have a remake of Rising Sun with China as the antagonist instead of Japan?

Let's see, we can work in say a Chinese router manufacturer, and a major U.S. database manufacturer, which buys the tech for a major software platform like say Java, and tie in purchases of real estate by Chinese cartels under assumed names, and uh, the Chinese military of course, and we can have some hot Chinese or maybe Taiwanese-American engineer at some corporate lab or maybe U.S. university.. it all seems to b

A local electronics/computer chain (now bankrupt) had all their security webcams on an open wifi network, and all the webcams had the default administrator password ("admin" of course). From a bench outside I was able to see everything going on in the store without even guessing the admin password.

That these system will punch holes in a upnp capable router is part of the problem. Many people may not realize their DVR is even accessible from outside. Step number one on any home routers I setup is to disable upnp because malicious software also likes to punch holes.

Step number one on any home routers I setup is to disable upnp because malicious software also likes to punch holes.

UPNP can trivially allow incoming ports on the firewall. And so what? You allow outbound connections, don't you?

There is very little difference between malicious programs being able to create its own outbound connections and being able to accept inbound connections: In either case, the malicious software is able to communicate and can accomplish whatever nefarious task its creators envision.

Why would I trust a program to create connections but not enough accept them?

In practice, I leave UPNP turned on. If I were paranoid enough to disable it, I'd also be sufficiently paranoid to never, ever execute any code that I'd not written or reviewed myself, with a firewall that denies everything by default in both directions...and I just don't have time for that.

UPNP makes things work better: From BT to software updates to gaming on a PS3, UPNP helps keep the clusterfuck of NAT from being absolutely horrible.

So the score, so far, for UPNP seems to be this:

Problems that UPNP solves for me: Several.Problems that UPNP creates for me: None.

Meanwhile, TFA is more about the fact that some hardware devices that may never see a software upgrade have one or more security holes which can be exploited over the network...which is interesting and all, but really has nothing to do with UPNP: If such devices were secure and trustworthy to begin with, there would never be a reason to firewall them at all, let along worry about UPNP.

There is very little difference between malicious programs being able to create its own outbound connections and being able to accept inbound connections: In either case, the malicious software is able to communicate and can accomplish whatever nefarious task its creators envision.

Bullshit.
If your device has a reason to create an outbound connection, it is (for the most part) limited to one connection to one place for a specific purpose. (Disregarding intentionally buggered on-board software designed with malicious intent). So your cloths dryer can send you an email telling you its on fire, or your tablet can fetch your email, and stuff like that.
However, as pointed out in the present article, even a disbeliever like you should see that opening an inbound port is an entirely di

> An inbound port is open to the entire world, anyone can connect, and, (baring any on-device security),> they can do pretty much anything the device is capable of doing.

And 9 times out of 10, unless the homeowner couldn't figure out how to do it, any device that accepts incoming connections on a port probably has a port from the router's public IP address forwarded to its internal IP address *anyway*.

I wish to ${deity} that routers had a "reverse https proxy" function that would accept inbound https connections, strip the ssl, and transparently forward the traffic to the same port of an internal IP address where there's a device that's too stupid to know how to do SSL.

I couldn't sleep with the camera's red light blinking at me regardless of whether or not it was connected to the router at the time.

Easily fixed with tape or a pen.

It's how I fix the issue I have with 99% of all electronic equipment these days, as they seem to insist on being able to illuminate a room with their "LOOK AT ME!!!" lights. And I think that's the first time in pretty much forever, I've ever wanted to use the blink-tag.

It's how I fix the issue I have with 99% of all electronic equipment these days, as they seem to insist on being able to illuminate a room with their "LOOK AT ME!!!" lights.

The best feature of my NEC 2090UXi monitor (other than its beautiful IPS LCD panel) is that the power indicator can be adjusted from a glaring eye-burning blue to either amber or green, and then dimmed to such an extent that it ceases to be bothersome and becomes a useful status indicator. (These functions are part of its on-screen menu

Bullshit. If your device has a reason to create an outbound connection, it is (for the most part) limited to one connection to one place for a specific purpose. (Disregarding intentionally buggered on-board software designed with malicious intent).

You're disregarding exactly the situation the GGP post was describing as the reason he turned UPNP off. GP's reply was a reasonable response: if you're assuming that software inside your network is malicious, it doesn't need UPNP to cause mischief... it'll probably hook up to an IRC server or similar in order to accept incoming commands, so that isn't a good reason to disable UPNP.

Now, this situation is (presumably) not malicious, but that doesn't make GP's response invalid. OTOH, I have to query how rare

An outbound port is also open to the entire world: Hence, how your clothes drier can send you an email to tell you that it is on fire (and get a buffer overflow from a compromised SMTP server in exchange, possibly with the help of a poisoned DNS server, MITM attack, etc).

*shrug*

If a device can't be trusted to behave itself on the Big, Bad Internet, it probably shouldn't be trusted in a common LAN environment either (what, with WEP being trivially broken and WPA attackable with surprisingly small effort).

One is to disallow password authentication via SSH. Then you can have weak passwords locally on the machine, and use public key authentication for remote access.

A second one is to only allow remote access to a special account with a long password, and then, when logging in remotely, su to the main account with the short password. This is a bit brittle, but would work.

A third is to re-examine how you're using your system -- you probably don't actually need to suppl

Meanwhile, TFA is more about the fact that some hardware devices that may never see a software upgrade have one or more security holes which can be exploited over the network...which is interesting and all, but really has nothing to do with UPNP: If such devices were secure and trustworthy to begin with, there would never be a reason to firewall them at all, let along worry about UPNP.

The connection to UPNP is that these devices are needlessly exposing themselves to attack by automatically opening inbound ports through the router using UPNP.

The connection to UPNP is that these devices are needlessly exposing themselves to attack by automatically opening inbound ports through the router using UPNP.

And the root problem there is that the device itself is not secure, not that UPNP allowed the device to be attacked. That a device is going to be attacked should always be assumed as a given, whether or not it is exposed to the Internet as a whole.

If a device that is intended to operate on securely on a network, it had better actually do so securely.

The difference is simple (but huge). To allow a program or device to make an outgoing NAT connection, i have to assume that it is not malicious. To allow programs and devices map incoming ports via upnp i have to assume that it is not malicious AND it is not buggy enough to allow gazillion script kiddies access to my network. So thanks, but no thanks on the upnp front - i keep my open tcp ports to a minimum.

To allow a program or device to make an outgoing NAT connection, i have to assume that it is not malicious. To allow programs and devices map incoming ports via upnp i have to assume that it is not malicious AND it is not buggy enough to allow gazillion script kiddies access to my network.

You oversimplification is astounding. You act as if you've never heard of PDF, Java, Flash, browser-based, [...] exploits, when in fact there is a broad history of non-malicious programs with various bugs that can allow a

I did not say that closed TCP ports are an end to all security woes - i do not know where you took that from. I did not quote any probability of different attack vectors. I merely compared upnp on vs. upnp off situation and said that upnp off on the router is more secure than upnp on.

What you are saying, is essentially - "I have my front door key under the mat - and the only three people who used this key are people who i would have let in anyway. And that key under the mat is just common sense as the crook

To allow a program or device to make an outgoing NAT connection, i have to assume that it is not malicious. To allow programs and devices map incoming ports via upnp i have to assume that it is not malicious AND it is not buggy enough to allow gazillion script kiddies access to my network.

Your words, not mine.

The only sane approach (if there is a sane approach) is to mistrust every program, because a buggy program with network access is still buggy whether it can accept external connections or not: If uses

Again - all i said is that having upnp off is preferrable to having it on. I also hinted that the amount of buggy programs (PC software as well as software in devices like printers, DVRs, etc) is much larger than the amount amount of malicious programs.

I have not talked about any other security measures that are or are not, should or should not be in place. Instead of arguing my point - how and why is upnp on preferred to manually opening minimum number of ports - you attribute me a lot of things i have NOT

It's all about cost benefit. What is the cost to prevent outbound connections? It creates alot of work for me and something nasty is probably going to sneak out through a commonly allowed port.

What is the cost to prevent inbound connections, practically nil. If something wants in, I can make a judgement and allow it. I can limit the type of traffic or source of inbound traffic on a specific port. I don't have to trust random developer to use tight restrictions.

Of course anyone interested at all in security should have disabled UPnP a long time ago. There's hardly a point to having a firewall if any compromised application can ask for a nice big hole in it whenever it wants.

Or edit the timestamp so that the ATM camera shows you there at the time the cops know that the suspect in the "Chainsaw Castrator" case made a withdrawal. (No hackers involved, that I know of, but back in the early 1990s, the Daily News ran a front-page photo of the suspect in a serial rape case, based on ATM footage. Except, oops, the time stamp was wrong and the poor shmuck was completely innocent.) (http://www.nytimes.com/1991/08/16/nyregion/man-in-photo-is-not-a-suspect.html) Now, consider what could b